Project: dsec to Vault Migration
Executive Summary
Migrate dsec secrets management from age-encrypted flat files to HashiCorp Vault KV secrets engine, enabling centralized secrets management, audit logging, and HA redundancy.
Current State: dsec uses age-encrypted files stored in ~/.secrets/env/ with manual key management.
Target State: dsec reads/writes secrets from Vault KV engine with full audit trail, access policies, and optional HA clustering.
Benefits:
- Centralized secrets with audit logging
- Fine-grained access control via policies
- Dynamic secrets generation (future)
- HA/DR with Raft clustering
- Secrets rotation without re-encrypting files
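The "fine-grained access control via policies" benefit in practice: an added example (not part of the original project plan) of two Vault policies for dsec, assuming a KV v2 engine mounted at `secret/` with dsec secrets under the `dsec/` prefix. KV v2 separates `data/`, `metadata/`, `delete/` and `destroy/` paths, so a policy that only grants `secret/dsec/*` silently fails; the writer policy below lets the CLI rotate a secret (write a new version) while denying deletion of version history.

```hcl
# Policy "dsec-reader": read-only access for workflows that consume secrets.
# Mount name "secret" and prefix "dsec/" are assumptions for this example.
path "secret/data/dsec/*" {
  capabilities = ["read"]
}

# Listing keys requires the metadata path in KV v2.
path "secret/metadata/dsec/*" {
  capabilities = ["list", "read"]
}

# Policy "dsec-writer": for the dsec CLI when creating or rotating secrets.
# "create" is needed for new keys, "update" for writing a new version.
path "secret/data/dsec/*" {
  capabilities = ["create", "update", "read"]
}

path "secret/metadata/dsec/*" {
  capabilities = ["list", "read"]
}

# Rotation writes a new version; it must not be able to erase old versions.
# "deny" overrides any broader grant from another attached policy.
path "secret/delete/dsec/*" {
  capabilities = ["deny"]
}

path "secret/destroy/dsec/*" {
  capabilities = ["deny"]
}

path "secret/metadata/dsec/*" {
  capabilities = ["list", "read"]
}
```

Save each policy as its own file and load it with `vault policy write dsec-reader reader.hcl` (and likewise for the writer) before binding it to the auth method chosen in Phase 3; every read or write under these paths then appears in the audit device enabled for Phase 1.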
Timeline
| Phase | Description | Status |
|---|---|---|
| Phase 1 | KV Engine Setup | Not Started |
| Phase 2 | Access Policies | Not Started |
| Phase 3 | Authentication | Not Started |
| Phase 4 | dsec CLI Modification | Not Started |
| Phase 5 | Secret Migration | Not Started |
| Phase 6 | Transition Period | Not Started |
| Phase 7 | Deprecate Age | Not Started |
| Phase 8 | HA/Redundancy | Future |
Success Criteria
- All dsec workflows work with Vault backend
- Audit log captures all secret access
- No secrets stored in age files (except archive)
- Documentation complete
- HA cluster operational (Phase 8)